Symantec Error Reporting - severity high

Hi!

 

I just got a high severity error reported. Can anyone shed any clue as to what it means, and if something should be done about it?

 

Never had a "high" severity error reported before.

 

Everything seems to be working as it should, and the checkmarks are green.

 

NIS 18.1.0.37, Windows 7 64-bit

 

Thanks.

 

Category: Norton Error Reporting
Date & Time,Risk,Activity,Status,Error Type,Error Time,Error ID,Error Class,Product Name,Product Version,Process ID,Thread ID,Process Name,Process Version,Process Timestamp,Module Name,Module Version,Module Timestamp,Module Offset,Hash Code,Component Name,Component Id,Error Code,Severity,Error File
2010-09-06 12:20,Info,Norton Error Reporting Submission,Submitted,Error Condition Detected,den 5 september 2010 22:25,{DC283A05-3A9A-4021-908E-CBD9F6D54E0B},0x50D561D0,Norton Internet Security,18.1.0.37,0xB38,0x184,ccSvcHst,10.0.1.8,den 23 juli 2010 02:30,SNDSVC,11.0.1.6,den 20 juli 2010 18:44,0x1F71B,0xE279C487,SymNetDrv,0x1,0x0,High,"C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_18.1.0.37\CmnClnt\ErrorInstances\50D561D0\DC283A05-3A9A-4021-908E-CBD9F6D54E0B.dat, C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_18.1.0.37\CmnClnt\ErrorInstances\50D561D0\DC283A05-3A9A-4021-908E-CBD9F6D54E0B.dat.tmp, C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_18.1.0.37\ErrorManagement\Queue\Incoming\SQ_{0233D794-99EF-43E5-A4F6-9C5C8EDE85F4}\{9DDBC67A-4666-4F0A-9C72-A3A07824635D}.etl, C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_18.1.0.37\ErrorManagement\Queue\Incoming\SQ_{0233D794-99EF-43E5-A4F6-9C5C8EDE85F4}\SQ_{936FB836-20CB-4F27-8C34-B45CA0F599E7}.plist"

 

The Module Name shown in the Error record usually refers to a DLL file with the same name, typically located in the Norton product directories. The 'Details' tab in the file properties dialog for 'SNDSvc.dll' provides the following information:

 

File description: Symantec Network Service Plugin

Product name:    Symantec Security Drivers

 

As for whether everything is working as it should be, I'd be inclined to err on the side of caution here. I've had a situation where I've received one of those 'please open the invoice' emails and wondered why Norton didn't clean it. I subsequently re-scanned the email in question and the Virus Scanner immediately quarantined a Trojan Horse found in the email in question. It turns out, according to the Norton Error Reporting in the History log, that 'ccEmlPxy.dll' (Symantec Email Proxy) had silently failed with a High severity error earlier during the day. Given that the Errors are not recorded in real time, it's probably best for Symantec themselves to provide a definitive answer on how to address a High severity error...:smileywink:

 

During the NIS 2011 beta testing, I found that Symantec employee reese_anschultz was helpful with investigating the errors recorded under 'Norton Error Reporting' in the History log. I've asked a Moderator to bring your thread to Reese's attention.

Bombastus,

 

Since this error is reported by a component that I'm directly responsible for I had my team do some research into this.

 

This error occurs because, during startup, the firewall determined that it was disabled by the operating system. When this is detected the error is logged and this specific area of the firewall is automatically reinstalled and enabled.

 

It looks like this machine has only reported two errors from a Norton product and both errors are this same issue on the same day. Since the problem hasn't happened since and no other errors have been reported your machine is probably safe. If this problem keeps reoccurring it might be useful to research this further.

Thank you very much! Glad to hear it.

 

I do think the date and time indicated in the report points at the same time I rebooted the system. Windows must have disabled it for some reason during boot, but NIS must have reenabled it real quick, because I know I was at the computer at the time and didn't get any security warnings or anything about not being protected by a firewall.

 

It hasn't happened since then, so everything seems fine. Thank you again!

 

 

I got another one today! Could I get some help encrypting this one, too, please? :smileyhappy: Would be highly appreciated. Again, no visible signs of anything being wrong.

 

Category: Norton Error Reporting
Date & Time,Risk,Activity,Status,Error Type,Error Time,Error ID,Error Class,Product Name,Product Version,Process ID,Thread ID,Process Name,Process Version,Process Timestamp,Module Name,Module Version,Module Timestamp,Module Offset,Hash Code,Component Name,Component Id,Error Code,Severity,Error File
2010-09-29 13:49,Info,Norton Error Reporting Submission,Submitted,Error Condition Detected,den 28 september 2010 20:18,{93F08390-5501-44B3-BCDD-00C81F195667},0xFDB6E1EA,Norton Internet Security,18.1.0.37,0x548,0xE30,ccSvcHst,10.0.1.8,den 23 juli 2010 02:30,ISDATASV,18.1.0.37,den 17 augusti 2010 03:29,0x2AF2F,0xB73EE259,ISDATASV,0x0,0x80070021,High,"C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_18.1.0.37\CmnClnt\ErrorInstances\FDB6E1EA\93F08390-5501-44B3-BCDD-00C81F195667.dat, C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_18.1.0.37\CmnClnt\ErrorInstances\FDB6E1EA\93F08390-5501-44B3-BCDD-00C81F195667.dat.tmp, C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_18.1.0.37\ErrorManagement\Queue\Incoming\SQ_{FBA1EC48-1BCC-4E8D-AD7E-78954064D3A9}\{5E1DE08F-F905-4DB5-B80D-DA002B064960}.etl, C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_18.1.0.37\ErrorManagement\Queue\Incoming\SQ_{FBA1EC48-1BCC-4E8D-AD7E-78954064D3A9}\SQ_{0CD38210-FC5D-4A6F-A5B4-993643EBDD88}.plist"


 


Bombastus wrote:

I got another one today! Could I get some help encrypting this one, too, please? :smileyhappy: Would be highly appreciated. Again, no visible signs of anything being wrong.

 




This is a known timing issue where the number of trusted files is not reported correctly. A fix should be released in a future update. It is not a security issue and you remain fully protected.

 

Cheers, thanks a lot!

 Any thoughts on these errors, Reese? NIS 2011 has been installed on this PC for less than a week.

 

Error Type | Error Time | Error ID | Error Class | Module Name | Severity
Error Condition Detected | Tuesday, 28 September 2010 4:13 PM | {6A859D82-79A3-4AC6-881F-66C5C57AD265} | 0xD41E85B7 | NCW | Critical
Error Condition Detected | Tuesday, 28 September 2010 4:14 PM | {3932D531-A059-49BB-B67C-FF215C424D06} | 0xB1F94ADC | avModule | High
Error Condition Detected | Monday, 27 September 2010 7:25 PM | {F695D40C-6038-4EA2-B30D-AAA6AB16EDA2} | 0x6B325C9F | SCANLESS | High
Error Condition Detected | Saturday, 25 September 2010 10:02 AM | {D5F15D1C-2AE5-4D8D-898D-A936EE5A3318} | 0x6B325C9F | SCANLESS | High
Application Failure | Saturday, 25 September 2010 7:44 AM | {91626274-E499-4D8D-8288-1DDFA3219ECD} | 0x25953192 | ntdll |
Error Condition Detected | Friday, 24 September 2010 7:59 PM | {06FE618E-E11B-4E1C-B84B-792A102B848B} | 0x6B325C9F | SCANLESS | High
Error Condition Detected | Friday, 24 September 2010 6:10 PM | {39103E36-31B6-4DA2-8849-CF51ABF0305D} | 0xC2AFC504 | NCW | Low
Error Condition Detected | Friday, 24 September 2010 7:59 PM | {5656805F-3767-4475-898D-6E394BBBE834} | 0x6B325C9F | SCANLESS | High

 


elsewhere wrote:

 Any thoughts on these errors, Reese? NIS 2011 has been installed on this PC for less than a week.

 

 

Error Type Error Time Error ID Error Class Module Name Severity
Error Condition Detected Tuesday, 28 September 2010 4:13 PM {6A859D82-79A3-4AC6-881F-66C5C57AD265} 0xD41E85B7 NCW Critical
Error Condition Detected Tuesday, 28 September 2010 4:14 PM {3932D531-A059-49BB-B67C-FF215C424D06} 0xB1F94ADC avModule High
Error Condition Detected Monday, 27 September 2010 7:25 PM {F695D40C-6038-4EA2-B30D-AAA6AB16EDA2} 0x6B325C9F SCANLESS High
Error Condition Detected Saturday, 25 September 2010 10:02 AM {D5F15D1C-2AE5-4D8D-898D-A936EE5A3318} 0x6B325C9F SCANLESS High
Application Failure Saturday, 25 September 2010 7:44 AM {91626274-E499-4D8D-8288-1DDFA3219ECD} 0x25953192 ntdll  
Error Condition Detected Friday, 24 September 2010 7:59 PM {06FE618E-E11B-4E1C-B84B-792A102B848B} 0x6B325C9F SCANLESS High
Error Condition Detected Friday, 24 September 2010 6:10 PM {39103E36-31B6-4DA2-8849-CF51ABF0305D} 0xC2AFC504 NCW Low
Error Condition Detected Friday, 24 September 2010 7:59 PM {5656805F-3767-4475-898D-6E394BBBE834} 0x6B325C9F SCANLESS High

 


 

First off, this machine has had numerous issues since September of last year.

 

The 'SCANLESS' errors all have the same cause, are uncommon and indicate that reputation data for a specific file couldn't be gathered. We had some server issues around the times of these errors that probably would explain these.

 

The earliest 'NCW' is due to a very busy system. There are some possible solutions for this but I'm not sure if we can make the problem go away altogether. I've brought this to the appropriate team's attention.

 

The most recent 'NCW' is very rare and appears to be related to some start-up problem. The 'avModule' item a second later is similar. You probably were notified that something was wrong at that time. Unfortunately there's not enough information to go by on this to do much. Take note of the module offsets in the current entries and if they keep occurring, let me know.

 

The 'ntdll' issue is known but not particularly common. It is currently being researched and I have brought your message to the appropriate team's attention. It also is a start-up problem and may, or may not, be timing related. There are some weird properties of it that suggest that the operating system might be damaged. You might want to run "sfc /scannow" to make sure that your operating system is alright.
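An added example, not part of the thread and not Symantec tooling: a small triage script for the 'Norton Error Reporting' CSV export posted above. It groups High/Critical records by Error Class, Module Name and Module Offset so repeats stand out, and decodes the Error Code field. It assumes that field is a Windows HRESULT, which the value 0x80070021 above is consistent with; the sample rows are constructed, reusing the class, module, offset and code values from the thread with placeholder file paths.

```python
import csv
import io
from collections import Counter

# Column header copied from the History export shown in this thread.
HEADER = ("Date & Time,Risk,Activity,Status,Error Type,Error Time,Error ID,"
          "Error Class,Product Name,Product Version,Process ID,Thread ID,"
          "Process Name,Process Version,Process Timestamp,Module Name,"
          "Module Version,Module Timestamp,Module Offset,Hash Code,"
          "Component Name,Component Id,Error Code,Severity,Error File")
WIN32_NAMES = {0x21: "ERROR_LOCK_VIOLATION"}  # winerror.h code 33; extend as needed

def _row(when, err_class, module, offset, code, severity):
    """Build one constructed export line; fields not listed are placeholders."""
    fields = dict.fromkeys(HEADER.split(","), "-")
    fields.update({"Date & Time": when, "Error Class": err_class,
                   "Module Name": module, "Module Offset": offset,
                   "Error Code": code, "Severity": severity,
                   "Error File": "<placeholder>.dat, <placeholder>.etl"})
    buf = io.StringIO()
    csv.writer(buf).writerow(fields.values())  # quotes the comma-bearing field
    return buf.getvalue()

# Constructed sample: class/module/offset/code values come from the two records
# in this thread; the second SNDSVC line models the same-day repeat mentioned.
SAMPLE = HEADER + "\r\n" + "".join([
    _row("2010-09-06 12:20", "0x50D561D0", "SNDSVC", "0x1F71B", "0x0", "High"),
    _row("2010-09-06 12:20", "0x50D561D0", "SNDSVC", "0x1F71B", "0x0", "High"),
    _row("2010-09-29 13:49", "0xFDB6E1EA", "ISDATASV", "0x2AF2F", "0x80070021", "High"),
])

def decode_hresult(text):
    """Split a hex HRESULT into (failed, facility, code, win32_name_or_None)."""
    value = int(text, 16)
    facility, code = (value >> 16) & 0x7FF, value & 0xFFFF
    name = WIN32_NAMES.get(code) if facility == 7 else None  # 7 = FACILITY_WIN32
    return bool(value >> 31), facility, code, name

def triage(export_text, min_repeat=2):
    """Group High/Critical records by (class, module, offset); flag repeats."""
    rows = list(csv.DictReader(io.StringIO(export_text)))
    key = lambda r: (r["Error Class"], r["Module Name"], r["Module Offset"])
    counts = Counter(key(r) for r in rows if r["Severity"] in ("High", "Critical"))
    return {k: {"count": n, "recurring": n >= min_repeat,
                "error_code": decode_hresult(next(
                    r["Error Code"] for r in rows if key(r) == k))}
            for k, n in counts.items()}

if __name__ == "__main__":
    print(triage(SAMPLE))
```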

 


reese_anschultz wrote:

 

First off, this machine has had numerous issues since September of last year.

 

The 'SCANLESS' errors all have the same cause, are uncommon and indicate that reputation data for a specific file couldn't be gathered. We had some server issues around the times of these errors that probably would explain these.

 

The earliest 'NCW' is due to a very busy system. There are some possible solutions for this but I'm not sure if we can make the problem go away altogether. I've brought this to the appropriate team's attention.

 

The most recent 'NCW' is very rare and appears to be related to some start-up problem. The 'avModule' item a second later is similar. You probably were notified that something was wrong at that time. Unfortunately there's not enough information to go by on this to do much. Take note of the module offsets in the current entries and if they keep occurring, let me know.

 

The 'ntdll' issue is known but not particularly common. It is currently being researched and I have brought your message to the appropriate team's attention. It also is a start-up problem and may, or may not, be timing related. There are some weird properties of it that suggest that the operating system might be damaged. You might want to run "sfc /scannow" to make sure that your operating system is alright.

 


Thanks Reese

 

I ran the 'sfc /scannow' command as you suggested and it found and repaired some corrupt files.

 

Regarding the SCANLESS errors, I found the file name entry that is causing the errors in the 'Application Ratings' feature under 'Highest Performance Impact':

 

[Screenshot: Insight Application Ratings - Highest Performance Impact Unproven Trust.jpg]

 

The 'nsr2_patch_all.exe' file (update to Norton Save and Restore 2) no longer exists on the system yet it is still showing up in the 'Highest Performance Impact' list. Clicking on this file name returns a 'File Not Found / try again later' dialog box and triggers the error. I recently noticed this same behaviour in NIS 2010 whereby uninstalled applications were still showing in the above list, albeit with an 'Unproven' Trust Level. Shouldn't these orphaned entries be deleted from the list when the Application Ratings window is refreshed?

 

Regarding the 'ntdll' error, I'm starting to think that there may be a compatibility problem between NIS 2011 and Norton Save and Restore 2.0. It appears that NIS has extended its Tamper Protection features to protect components of Save and Restore as well. Is this expected behaviour? The 'unauthorized access blocked' alert targeting Save and Restore occurred at the same time as the 'ntdll' error. This may be of use to your team.

 

[Screenshot: NIS 2011 Save and Restore - Tamper Protection - Write Virtual Memory.jpg]

 

Thanks for the explanation about the SCANLESS errors. I'll pass that information to the team.

 

Based upon the way tamper protection works, it looks like Norton Save and Restore 2 has specifically requested to have its area protected but I don't know anything specific about this.

 

I'm reassured by the fact that sfc did find something and repair it. Hopefully your Norton product, along with your whole system, will be more reliable now and you won't see any additional ntdll errors. The 'unauthorized access blocked' notice is actually an after-effect of the ntdll error. Windows Error Reporting is reporting the ntdll error to Microsoft and the access is being logged and limited by the tamper protection feature.

 

P.S. While documenting the SCANLESS issue I just noticed that your system has made six more submissions and they're all for this issue. Looks like you were busy isolating this. Thanks!

Regarding the SCANLESS errors, it looks like, in a future update, files that have been deleted will no longer show in the Application Ratings window and the problem, therefore, should no longer occur.